<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>
Options API screen
</title>
</head>
<body bgcolor="#ffffff">
<h1>API选项屏幕</h1>
<p>
此屏幕允许您配置 <a href="../../../start/concepts/api.html">API</a> 选项：

<h3>启用</h3>

如果启用，则API可用于所有能够使用ZAP作为代理的计算机。<br/>

<h3>启用的UI</h3>

如果启用，则API Web UI可用于所有能够使用ZAP作为代理的计算机。
要访问API Web UI，请将浏览器指向ZAP正在监听的主机和端口。<br/>

<h3>只允许安全模式</h3>

如果启用，那么API将只能通过HTTPS使用。 否则，它将通过HTTP和HTTPS提供。<br/>

<h3>API密钥</h3>

必须在所有API操作和一些其它操作中指定密钥。<br/>
API密钥用于防止恶意网站访问ZAP API。<br/>
强烈建议您设置密钥，除非您在完全隔离的环境中使用ZAP。<br/>

<h3>允许使用API的地址</h3>

默认情况下，只有运行ZAP的计算机才能访问ZAP API。<br/>
您可以通过添加合适的正则表达式模式来允许其它计算机访问API。<br/>
您应该只添加您信任的IP地址。<br/>
请注意，ZAP API现在也检查主机头，因此它也必须是允许的地址之一。

<h3>禁用API密钥</h3>

选择此选项将禁用API密钥。<br/>
除非您在完全隔离的环境中使用ZAP，否则不建议使用ZAP，因为它允许恶意站点访问ZAP API。

<h3>不需要用于安全操作的API密钥</h3>

如果启用，那么视图或其它被视为“安全”的操作不需要API密钥，换言之，不对ZAP进行任何更改的操作。 
但是这样的操作可以访问ZAP数据，如警报，消息和文件系统路径。  
Web应用程序也可以使用它们来检测ZAP的存在。

<h3>Report permission errors via API</h3>

If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP.
This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.

<h3>Report error details via API</h3>

If this option is selected then more error details are returned via the API.<br/>
This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.<br/>
Note that the full error details are always written to the ZAP log file. 

<h3>Autofill API key in the API UI</h3>

If this option is selected then the API key is automatically included in the API UI.<br/>
This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.<br/>

<h3>Enable JSONP</h3>

Selecting this option enables the JSONP format.<br/>
This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.<br/>
If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys. 

<h2>See also</h2>
<table>
<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td>
<a href="../../overview.html">UI Overview</a></td><td>for an overview of the user interface</td></tr>
<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td>
<a href="options.html">Options dialogs</a></td><td>for details of the other Options dialog screens</td></tr>
</table>

</body>
</html>
